Your personal data is not safe; but it never really was.

The hot topic in US politics today is a federal “dragnet” used to take a peek at pretty much every digital communication a modern American creates. Many federal organizations are reportedly in on it, including the FBI, DOJ, DOD, and NSA, making many people go WTF.

But, as an engineer and a former employee of one of those arcane three-letter organizations, I have a different perspective than most.

There are real reasons to be concerned about big government encroaching too much into our lives, and there are real reasons to be concerned about potential abuses of overreaching powers. Government should not be trusted blindly. But there’s also a lot of fake and/or misguided outrage here.

There are two major components of the leak-fest of late: One, the government has accessed logs of which phone number called which other number and for how long. These logs contained data from all of Verizon’s customers, and perhaps those on other networks. Let me address this one first. This kind of system has existed for a long time, and it’s called a pen register. Pen registers log the very basics of a phone call; the original systems only recorded the numbers involved, but newer ones can record the duration and location of the numbers as well. There have been laws governing the use of pen registers since the late 60s, but in the past 30 years or so the laws have been revisited to account for new technology. Still, the Supreme Court ruled way back in 1979 that pen registers do not pass the “reasonable expectation of privacy” test. I usually don’t quote Wikipedia, but the wiki on pen registers is quite accurate here:

[The Supreme Court] overturned Olmstead v. United States and held that wiretaps were unconstitutional searches, because there was a reasonable expectation that the communication would be private. The government was then required to get a warrant to execute a wiretap.

Ten years later the Supreme Court held that a pen register is not a search because the “petitioner voluntarily conveyed numerical information to the telephone company.” Smith v. Maryland, 442 U.S. 735, 744 (1979). Since the defendant had disclosed the dialed numbers to the telephone company so they could connect his call, he did not have a reasonable expectation of privacy in the numbers he dialed. The court did not distinguish between disclosing the numbers to a human operator or just the automatic equipment used by the telephone company.

So, there you have it. Wiretaps need warrants, but just looking at the call logs does not. This is not new. This ruling happened before I was even born. But there’s a key factor to latch on to here: a “reasonable expectation of privacy”. We as a society have forgotten what that means, or perhaps never fully understood it in the first place.

There is a deep-rooted and understandable personal fear at the core of all this. It’s not about having “nothing to hide”, and it’s not about distrusting government, or thinking Bush or Obama is the anti-christ. It’s about privacy, and how we often take it for granted.

There’s a subtle but important difference between secrecy and privacy. Here’s an example of that difference: We all poop. Everyone knows we poop. It’s not a secret matter, but it is a private matter, and we’d all bitch up a storm if some “authority” said that even one person was allowed to see us pooping at work or at home.

But, if you poop in the alley, well…there’s no reason to expect total privacy. Using GMail, Hotmail, Yahoo, Facebook, etc…it’s all the equivalent of pooping in the alley. Any assumptions of true privacy here are misguided. It’s not likely that anyone will see you doing your dirty business in that alley, but it is quite possible that someone might, and you can’t blame someone for invading your privacy if you do that.

That leads me to the second aspect of this leak-fest: Google, Microsoft, and other email providers/social networks have been providing the government with data. To me, this should not come as a surprise, nor should it be particularly scary. The truth is that pretty much all this stuff the government has access to is already accessible by employees or contractors of the corporations who operate our favorite things, and these companies have even less oversight and responsibility than the government. You might be surprised if you knew how many average-salary guys could access your Facebook, Google, or Microsoft data at any given time. Not too long ago, two Google engineers were fired for abusing their awesome technology superpowers, but you should seriously consider how many of them do less egregious things and get away with it.

Facebook knows who your friends are, where you’ve been, what you like to eat, what your friends like to do, and hundreds of other data points. You willingly gave a huge corporation access to your life, just so they could send you some ads.

“Like many email providers, Outlook.com scans the content of your email to help protect you and prevent spam, gray mail, phishing scams, viruses, malware, and other dangers and annoyances. It is just like how the postal service sorts and scans mail and packages for dangerous explosive and biohazards”

See, they’re just looking through email for your protection. To keep you safe from harm. Sound familiar?

You already have corporations running programs through your emails for their own purposes. Sometimes, as in GMail’s case, it’s purely to show you ads based on your email messages. This so-called invasion of your privacy has been happening for some time, with your consent (you agreed to the terms and conditions, folks!). Does the situation really change when it’s Uncle Sam doing it instead of “Don’t Be Evil” Google? One could argue that at least the government can do some good things with that data in some cases (e.g., stopping people who blow up things).

Governments, corporations, and regular citizens must all adapt to the rapidly-changing digital world where we so freely and gratefully use products controlled by multi-billion dollar organizations, and create laws and processes to keep a healthy balance between security and spying on the very people we’re trying to protect. But don’t expect privacy unless you work to keep things private (encryption is good, so is taking your info out of “the cloud”). In our real homes we close the doors, draw the window shades, and keep our dirty laundry hidden from view. For some reason we’ve lost that common sense when it comes to our digital homes. Maybe we shouldn’t vilify the politicians or the CEOs for this kind of stuff. Maybe we should simply realize that we’ve been exposing too much of ourselves for too long.